Add WebSockets connection pool limit when shields are enabled. #11609
Conversation
goodov
force-pushed
the
issues/19990
branch
2 times, most recently
from
e75a1a3
to
a5cddac
Compare
|
Most probably we don't need a formal sec review, but I'd double-check with someone from the sec team. Maybe @fmarier you could take a quick look? |
| @@ -40,5 +40,9 @@ const base::Feature kFileSystemAccessAPI{"FileSystemAccessAPI", | |||
| const base::Feature kPartitionBlinkMemoryCache{ | |||
| "PartitionBlinkMemoryCache", base::FEATURE_DISABLED_BY_DEFAULT}; | |||
|
|
|||
| // Enable WebSockets connection pool limit per eTLD+1 for each renderer. | |||
| const base::Feature kRestrictWebSocketsPool{"RestrictWebSocketsPool", | |||
| base::FEATURE_DISABLED_BY_DEFAULT}; | |||
There was a problem hiding this comment.
perhaps we can enable by default, the change doesn't look very dangerous?
There was a problem hiding this comment.
👌 I'll make it enabled by default and will add a brave://flag to be safe.
| @@ -0,0 +1,60 @@ | |||
| /* Copyright (c) 2020 The Brave Authors. All rights reserved. | |||
There was a problem hiding this comment.
is almost 2022! (in all files)
|
perhaps a browser test? |
of course. currently working on it. |
goodov
force-pushed
the
issues/19990
branch
2 times, most recently
from
00a5a0f
to
849b8d1
Compare
There was a problem hiding this comment.
Most probably we don't need a formal sec review, but I'd double-check with someone from the sec team.
The high-level approach sounds good to me. It's not adding (or really modifying) any new networks requests, so I don't think we need to do a full sec review.
I assume @pes10k has confirmed that this mitigation is effective against the pool party attack?
|
Yep! Limiting each eTLD+1 to a maximum of 10 websockets would effectively defeat the attack (an attacker could hypothetically still carry out the attack by controlling ~20 domains at the same time, and coordinating between them, but this approach makes the attack sufficiently difficult to carry out that I think we can consider it solved (at least when carried out through the WebSocket pool, which is the most concerning example). Just to confirm @goodov, this PR does
but not
Is that correct? |
yes, that is correct! |
| if (auto* top_frame_security_context = | ||
| frame->Top()->GetSecurityContext()) { | ||
| return top_frame_security_context->GetSecurityOrigin() | ||
| ->GetOriginOrPrecursorOriginIfOpaque(); |
There was a problem hiding this comment.
see SandboxedFramesAreLimited test.
goodov
force-pushed
the
issues/19990
branch
3 times, most recently
from
56dc1ab
to
68176d5
Compare
|
@bridiver |
|
|
||
| namespace blink { | ||
|
|
||
| class MODULES_EXPORT WebSocketChannelImpl |
There was a problem hiding this comment.
Should we restore finality here?
| const String& resource_id_in_use() const { return resource_id_in_use_; } | ||
|
|
||
| private: | ||
| String resource_id_in_use_; |
There was a problem hiding this comment.
Nit: seems like this and the getter could just be called resource_id_/resource_id()?
|
|
||
| MutexLocker locker(resources_in_use_lock_); | ||
| // `insert` doesn't change the value if it already exists. | ||
| int& resource_in_use_value = |
There was a problem hiding this comment.
Nit: resource_in_use_count might be a bit more clear.
| int GetResourceLimit(ResourceType resource_type) { | ||
| switch (resource_type) { | ||
| case ResourceType::kWebSocket: | ||
| return 10; |
There was a problem hiding this comment.
Should this be hard-coded? Would it make sense to make it a feature param, for example, and control it via Griffin?
|
@mkarolin turned out we want to merge it asap, would you mind approving it and then we can do a follow-up? |
No problem. |
Resolves brave/brave-browser#19990
Submitter Checklist:
QA/YesorQA/No;release-notes/includeorrelease-notes/exclude;OS/...) to the associated issuenpm run test -- brave_browser_tests,npm run test -- brave_unit_tests,npm run lint,npm run gn_check,npm run tslintgit rebase master(if needed)Reviewer Checklist:
gnAfter-merge Checklist:
changes has landed on
Test Plan: